Policy —

The top 5 things we’ve learned about the NSA thanks to Edward Snowden

And the top 5 things that have happened as a result of the whistleblowing.

“A substantial misrepresentation”

One of the most immediate effects of Snowden’s disclosures was the beginning of the NSA looking inward. The head of the NSA, Gen. Keith Alexander, testified before a Congressional hearing that as of June 2013, there were approximately 1,000 NSA system administrators similarly credentialed to Edward Snowden. Alexander revealed new plans that would require two-person authorization for any employee to download the kind of data Snowden did.

“This is a huge problem,” Alexander said. “We’re coming up with a two-person rule to make sure we have a way to block [such wide access].”

By August, the agency also dismissed nearly all of its systems administrators as a way to avoid another such massive leak.

As the NSA story began to unfold, more of us started to take our own operational security more seriously. (Ars even published its first list of staff PGP keys.) Snowden, of course, beat us all to the punch. As a veteran of intelligence agencies, he deeply understood the long arm of the United States. Snowden famously refused to communicate with Greenwald until the American reporter enabled PGP on his own computer.

Snowden’s e-mail provider of choice, the Texas-based Lavabit, came under newfound scrutiny. By the second week of August, Lavabit pulled the plug rather than succumbing to government pressure to hand over access to all of its users’ data, including Snowden’s. Less than a day later, Silent Circle did the same to its Silent Mail product—going so far as to physically destroy company servers.

The biggest bit of self-reflection and action likely came from the FISC, though. Created in 1978 under FISA, the court’s mandate (among other things) is to approve special surveillance warrants (FISA warrants) for American federal agencies to use against suspected foreign agents. One of 11 judges who are tapped from existing federal circuit judge posts nationwide can then grant a warrant’s approval. (The sitting chief justice of the Supreme Court, John Roberts, currently has the sole authority to nominate FISC judges.)

In the court’s history, warrants (and related orders) are approved more than 99 percent of the time.

But post-Snowden, in mid-June 2013, we saw a FISC milestone. Less than two weeks after the first leak, FISC granted its first-ever motion to not block disclosure of an earlier FISC opinion. And this was a doozy—the disclosed opinion declared parts of the NSA’s surveillance under Section 702 of the FISA Amendments Act to be unconstitutional. Today, the court’s publicly accessible docket remains pretty short, and in fact, the website didn't even exist prior to Snowden’s actions. The court’s decisions, orders, and warrants have been kept secret for 30 years.

In late August 2013, the publication of these documents showed that there have been many instances in which FISC judges had substantial questions about the NSA’s spying operations.

The longest item from the initial group was a previously secret October 2011 document from the FISC showing that the NSA "frequently and systematically violated" its own oversight requirements. The agency collected as many as 56,000 e-mails and communications by Americans with no connection to terrorism.

The federal judge authoring the opinion, FISC Judge John Bates, concluded that there is no way to know with certainty how far the government’s intelligence and surveillance capabilities have actually gone. In his 85-page opinion, Bates noted that his court originally approved the NSA's ability to capture a limited and targeted amount of data.

“In conducting its review and granting those approvals, the Court did not take into account NSA’s acquisition of Internet transactions, which now materially and fundamentally alters the statutory and constitutional analysis,” the judge wrote.

In a footnote, he added:

The Court is troubled that the government’s revelations regarding NSA’s acquisition of Internet transactions mark the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program.

. . .

Contrary to the government’s repeated assurances, NSA had been routinely running queries of the metadata using querying terms that did not meet the required standard for querying. The Court concluded that this requirement had been “so frequently and systematically violated that it can fairly be said that this critical element of the overall… regime has never functioned effectively.”

A September 2013 release and another phone conference with reporters showed that FISC judges again had significant problems with the NSA’s actions. As expected, top intelligence officials downplayed the court's findings, insisting that the court "did not find any intentional effort" to violate the law.

"These are some incredibly complicated systems that NSA was not able to fully and accurately articulate to the court, in large part because no one at NSA had a full understanding of how the program was operating at the time," said Robert Litt, general counsel of the Office of the Director of National Intelligence.

“Simply beyond any reasonable understanding of the word”

Beyond new documents from the FISC, other traditional courts have become possible avenues to halt current mass surveillance programs. Within the first two months of the Snowden leaks, two major groups (the American Civil Liberties Union and the Electronic Frontier Foundation) filed separate but equally significant lawsuits as an attempt to halt the Verizon metadata handover program.

One of the strongest challenges to the metadata handover, at least in the court of public opinion, has come from Rep. James Sensenbrenner (R-WI), the original author of the PATRIOT Act. That post-September 11 piece of legislation (specifically its Section 215) is what the government claims gives it the authority to collect all this data.

As Sensenbrenner wrote in his filing:

The vast majority of the records collected will have no relation to the investigation of terrorism at all. This collection of millions of unrelated records is built-in to the mass call collection program. Defendants’ theory of “relevance” is simply beyond any reasonable understanding of the word. And it certainly is not what amicus intended the word to mean.

…

Defendants do not explain why Congress would have enacted such meaningless provisions. The bulk data collection program is unbounded in its scope. The NSA is gathering on a daily basis the details of every call that every American makes, as well as every call made by foreigners to or from the United States. How can every call that every American makes or receives be relevant to a specific investigation?

Beyond legal cases, there may be some hope of legislative relief to put the brakes on what has clearly become an overzealous data collection and foreign surveillance program.

“[FISC's] rulings and opinions need to be made public in order for public confidence to exist,” Wyden said. “Secret courts were one of the reasons that we rebelled against the English. Star chambers became a symbol of our reason for revolution, and secrecy should be really an anathema to our judicial process.”

Wyden and his colleagues pushed the idea of a “constitutional advocate,” or ombudsman, who would act as the government’s judicial adversary in an FISC hearing. He also addressed a likely rebuttal from the intelligence community: that valuable information may be lost if the judicial process is bogged down by appeals.

“There should be no delay from a constitutional advocate because the review can happen while the warrants are ongoing,” he said. “That appeal can be to SCOTUS or to [other] courts of appeals, to [the FISC of Review]. The appeal right now is nonexistent because only the government is represented. The constitutional advocate would have as its clients the rights of American citizens.”

However, due to the United States government October 2013 shutdown, the immediate prospects for passage of this act seem murky at best. After all, President Barack Obama’s surveillance review panel never convened as a result of the gridlock.

Share this story

Cyrus Farivar
Cyrus is a Senior Tech Policy Reporter at Ars Technica, and is also a radio producer and author. His latest book, Habeas Data, about the legal cases over the last 50 years that have had an outsized impact on surveillance and privacy law in America, is out now from Melville House. He is based in Oakland, California. Emailcyrus.farivar@arstechnica.com//Twitter@cfarivar